1 Introduction

The problems that arise during reliability analysis of a fault tolerant computer system can be broadly classified into those relating to the construction of the model, and those relating to the solution of the model. The construction of a model of a complex fault tolerant system consists of selecting an appropriate “language” for the description of the system, abstracting the important characteristics of the system to be studied, and expressing these characteristics in the description language. The underlying stochastic representation of the system can then be automatically determined from the description language; the solution of the underlying stochastic process provides estimates of the desired measures. Some examples of modeling languages that are appropriate for simplifying the model construction task are combinatorial models, such as reliability block diagrams [20] and fault trees [2]. Such combinatorial models are useful because they provide a concise representation of the system; however, they are not able to model the dynamic system behavior in response to a fault or an error.

The first topic considered under the auspices of this grant was concerned with the development of techniques for incorporating fault and error modeling techniques into combinatorial models. A second area of research conducted under the current contract concerns the development of fast, accurate algorithms for the solution of fault tree models. Several different techniques were developed for producing bounded approximations for both static and dynamic combinatorial models. (The techniques were applied specifically to fault trees, but are also applicable to reliability block diagrams.) Techniques for the consideration of truncated fault trees were derived which could be used to produce bounded estimates of system reliability from partially developed fault trees.

Other topics considered include the analysis of phased missions; a new technique for combining models for multiple phases was derived. We also investigated the problem of sequence dependencies. Three different types of sequence dependencies were defined, and associated solution techniques were developed. Papers describing the results of these two efforts are in preparation, and will be submitted as they are completed.
2 Solution of Dynamic Combinatorial Models

2.1 Background

[...] a concise representation [...]

Second, a technique for truncating the model was developed. Since the model construction and solution phases are [...], the model can be truncated at any point in the process, and bounds on the reliability of the system can be produced. If the bounds are determined [...]. This method may be contrasted [...]
3 Reduced Fault Tree Models


Fault tree models are well accepted and [...] of fault trees with many basic events [...]. We developed several techniques that can be used to reduce the effort associated with [...] and in solving the model once it is developed. The techniques addressed three different kinds of p[...] models. First, we developed two different techniques [...]. The first technique [...] reliability of complex fault tolerant systems. [...] model of a system (as con[...] tree model). We also developed two methods for reducing the [...]. We [...] Systems and will be published in the proceedings.

4  Phased  Missions 

Fault tolerant systems are often used in missions [...] the initial conditions for the beginning of the second phase.
We developed a methodology for automated analysis of phased missions, based on a Markov chain solution. Assuming that the phase change times are deterministic, we presented a methodology for combining models for each phase into one. This results in a model that can be substantially smaller than what is required by other methods. We defined a unified [...] model [...] separate phases using fault trees, and for constructing and solving the resulting Markov model. A paper describing this work is being prepared for submission to IEEE Transactions on Reliability.


5  Fault  Trees  and  Sequence  Dependencies 

A major disadvantage of fault tree analysis is the inability of fault tree models to capture sequence dependencies in the system and still allow an analytic solution. Systems exhibiting sequence dependencies are usually modeled via Markov models. Markov models have the advantage of providing the flexibility to model a very large class of systems, but have the disadvantage of being difficult to construct.

The gap between fault trees and Markov chains can be narrowed by describing as much of the system as possible in terms of a fault tree, converting the fault tree (automatically) to a Markov chain, and then altering the Markov chain to reflect the behavior that cannot be captured in the fault tree model. This approach has been used successfully in HARP, where the redundancy management and fault and error handling behavior of the system is automatically incorporated into the Markov chain that is constructed from the fault tree description.

There are several different kinds of sequence dependencies in fault tolerant systems. We identified three such dependencies, and described the definition, implementation and application of specific gates to express these behaviors in fault tree models. The use of these gate types still allows an analytic solution, and they are useful in modeling complex fault tolerant systems.

The first type of sequence dependency we described is termed functional dependency, and it arises in the following situation. Suppose that the failure of some component A causes components B and C to become inaccessible or otherwise unusable, so that they should also be considered to have failed. That is, components B and C are functionally dependent on component A. However, the failure of either B or C does not affect the functionality of A. We present a functional dependency gate to model this situation.

The second type of sequence dependency investigated arises from the use of cold spares (spares that can not fail until switched into active operation). If component B is a cold spare for component A, then the failure of component B cannot occur until after A has failed and B is switched into active operation. We introduced a cold spare gate to model this situation, and developed an analytic solution of the resulting model.

The third type of sequence dependency considered occurs in the following situation. Suppose that components A and B have both failed, but system failure occurs only if A failed before B did. If B failed before A did, then the system is still operational. We defined an implementation of the Priority AND gate [13][16] to model this situation. Our implementation allows an exact solution, and is comparable to Fussell's solution. A paper describing this work [10] will be presented at the Reliability and Maintainability Symposium, and will be published in the proceedings.
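The three gate semantics above can be checked directly in code. The following is an added example, not code from the report or from HARP: it assumes failure times are given per basic event (a constructed trajectory, or exponential samples), treats each gate as a function returning the time at which its output event occurs, and validates the Priority AND gate by comparing a Monte Carlo estimate against the closed-form integral for exponential failure times.

```python
import math
import random

INF = math.inf  # a component that never fails has failure time INF

# A trajectory maps each basic event to its failure time. Every gate returns
# the time at which its own output event occurs, so gates compose like a tree.

def fdep(times, trigger, dependents):
    """Functional dependency gate: once `trigger` fails, every dependent is
    treated as failed from that instant (an earlier own failure still stands)."""
    out = dict(times)
    for d in dependents:
        out[d] = min(out.get(d, INF), out.get(trigger, INF))
    return out

def cold_spare(times, primary, spare):
    """Cold spare gate: the spare cannot fail before it is switched in, so the
    spare's entry in `times` is its lifetime *after* activation. The gate
    fails when neither the primary nor the activated spare is working."""
    tp = times.get(primary, INF)
    return tp + times.get(spare, INF) if tp < INF else INF

def pand(times, first, second):
    """Priority AND gate: fails (at the moment of the second failure) only if
    `first` failed strictly before `second`; the other order leaves it working."""
    a, b = times.get(first, INF), times.get(second, INF)
    return b if a < b < INF else INF

def simulate_pand_unreliability(lam_a, lam_b, mission, n=20000, seed=1):
    """Monte Carlo estimate of P(PAND(A, B) has failed by `mission`) using
    constructed exponential failure times with rates lam_a and lam_b."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        times = {"A": rng.expovariate(lam_a), "B": rng.expovariate(lam_b)}
        if pand(times, "A", "B") <= mission:
            hits += 1
    return hits / n

def exact_pand_unreliability(lam_a, lam_b, mission):
    """Closed form of the same quantity, P(A fails before B and B fails by T):
    integrate B's failure density against P(A has already failed)."""
    lam = lam_a + lam_b
    return (1 - math.exp(-lam_b * mission)) - lam_b / lam * (1 - math.exp(-lam * mission))

if __name__ == "__main__":
    print(simulate_pand_unreliability(0.1, 0.2, 5.0), exact_pand_unreliability(0.1, 0.2, 5.0))
```

The simulated and exact values agree to within sampling error, which is the same ordering semantics the Priority AND gate encodes: both must fail, and A first.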


6  References 


[1] P. S. Babcock. An introduction to reliability modeling of fault-tolerant systems. Technical Report CSDL-R-1899, C. S. Draper Laboratory, Inc., Cambridge, MA, September 1986.

[2] R. E. Barlow and H. E. Lambert. Introduction to Fault Tree Analysis, pages 7-35. Society for Industrial and Applied Mathematics, Philadelphia, PA, 1975.

[3] R. G. Bennetts. On the analysis of fault trees. IEEE Transactions on Reliability, R-24(3):194-203, August 1975.

[4] Andrea Bobbio and K. S. Trivedi. An aggregation technique for the transient analysis of stiff Markov chains. IEEE Transactions on Computers, C-35(9):803-814, September 1986.

* [5] M. A. Boyd, M. Veeraraghavan, Joanne Bechta Dugan, and K. S. Trivedi. An approach to solving large reliability models. In AIAA/IEEE Digital Avionics Systems Conference, San Jose, CA, October 1988.

[6] Mark A. Boyd. Converting fault trees to Markov chains for reliability prediction. Master's thesis, Duke University, Department of Computer Science, 1986.

[7] Joanne Bechta Dugan. Extended Stochastic Petri Nets: Applications and Analysis. PhD thesis, Department of Electrical Engineering, Duke University, 1984.

* [8] Joanne Bechta Dugan. Automated analysis of phased mission reliability. IEEE Transactions on Reliability, 1989. Submitted.

* [9] Joanne Bechta Dugan. Fault trees and imperfect coverage. IEEE Transactions on Reliability, June 1989.

* [10] Joanne Bechta Dugan, Salvatore Bavuso, and Mark Boyd. Fault trees and sequence dependencies. In Proceedings of the Reliability and Maintainability Symposium, 1989. To appear.

[11] Joanne Bechta Dugan, K. S. Trivedi, Mark K. Smotherman, and Robert M. Geist. The hybrid automated reliability predictor. AIAA Journal of Guidance, Control and Dynamics, 9(3):319-331, May-June 1986.

* [12] Joanne Bechta Dugan, Malathi Veeraraghavan, Mark Boyd, and Nitin Mittal. Bounded approximate reliability models for fault tolerant distributed systems. In Proceedings 8th Symposium on Reliable Distributed Systems, 1989.

[13] J. B. Fussell, E. F. Aber, and R. G. Rahl. On the quantitative analysis of priority-AND failure logic. IEEE Transactions on Reliability, R-25(5):324-326, December 1976.

[14] J. B. Fussell and W. E. Vesely. A new methodology for obtaining cut sets for fault trees. Transactions of the American Nuclear Society, 15:262, 1972.

[15] A. Goyal, W. C. Carter, E. de Souza e Silva, S. S. Lavenberg, and K. S. Trivedi. The system availability estimator. In Proceedings of the Sixteenth International Symposium on Fault-Tolerant Computing, pages 84-89, July 1986.

[16] E. J. Henley and H. Kumamoto. Reliability Engineering and Risk Assessment. Prentice-Hall, 1981.

*  acknowledges  grant 



[17] W. S. Lee, D. L. Grosh, F. A. Tillman, and C. H. Lie. Fault tree analysis, methods, and applications - a review. IEEE Transactions on Reliability, R-34(3):194-203, August 1985.

[18] Mitchell O. Locks. Recursive disjoint products, inclusion-exclusion, and min-cut approximations. IEEE Transactions on Reliability, R-29(5):368-371, December 1980.

[19] A. Satyanarayana and A. Prabhakar. New topological formula and rapid algorithm for reliability analysis of complex networks. IEEE Transactions on Reliability, R-27(2):82-100, June 1978.

[20] D. P. Siewiorek and R. S. Swarz. The Theory and Practice of Reliable System Design. Digital Press, Bedford, MA, 1982.

[21] K. S. Trivedi. Probability and Statistics with Reliability, Queuing and Computer Science Applications. Prentice-Hall, Englewood Cliffs, NJ, 1982.


